Is my company in NIS2 scope?

Decision tree questions

1. Does your company operate in an EU member state?

   NIS2 applies to entities providing services in the EU. Non-EU entities that provide services to EU entities may also be in scope through supply chain obligations.

   • Yes: Continue to: Does your company operate in one of these sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, or public administration?
   • No: Outside NIS2 scope — no EU operations

2. Does your company operate in one of these sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, or public administration?

   These are Annex I 'highly critical' sectors. Annex II adds: postal, waste management, chemicals, food, manufacturing, digital providers, and research. Answer yes if you're in either list.

   • Yes: Continue to: Does your company have at least 50 employees OR an annual turnover or balance sheet of at least €10 million?
   • No: Outside NIS2 sector scope — not in scope

3. Does your company have at least 50 employees OR an annual turnover or balance sheet of at least €10 million?

   NIS2 applies to medium and large enterprises. Micro (< 10 employees, < €2M) and small (< 50 employees, < €10M) companies are generally exempt, unless they are critical infrastructure or named by member states.

   • Yes: Continue to: Do you operate in an Annex I highly critical sector with more than 250 employees OR turnover/balance sheet exceeding €50M?
   • No: Continue to: Is your company critical infrastructure regardless of size — e.g. a sole provider of a critical service in a member state, or a critical infrastructure operator named by your national authority?

4. Do you operate in an Annex I highly critical sector with more than 250 employees OR turnover/balance sheet exceeding €50M?

   If yes, you are likely an 'essential entity' with stricter obligations. If you're just above the 50/€10M threshold, you are probably an 'important entity' with lighter requirements.

   • Yes: Continue to: Do you have a documented incident response plan covering cybersecurity incidents that affect your services?
   • No: In NIS2 scope as important entity

5. Do you have a documented incident response plan covering cybersecurity incidents that affect your services?

   NIS2 requires essential and important entities to have incident response capabilities, including a plan for detecting, containing, and reporting significant incidents.

   • Yes: In NIS2 scope — check your full compliance posture
   • No: In NIS2 scope — incident response plan required

6. Is your company critical infrastructure regardless of size — e.g. a sole provider of a critical service in a member state, or a critical infrastructure operator named by your national authority?

   Member states can impose NIS2 on small and micro enterprises if they are the sole provider of a service essential to the economy or society.

   • Yes: In NIS2 scope — critical infrastructure exception
   • No: Below NIS2 size thresholds — generally exempt